Abstract — It has gained broad attention to understand the timed distributed trace of a cyber-physical system at runtime, which is often achieved by verifying properties over the observed trace of system execution. However, this verification faces severe challenges. First, in realistic settings, the computing entities only have imperfectly synchronized clocks. A proper timing model is essential to the interpretation of the trace of system execution. Second, the specification should be able to express properties with real-time constraints despite the asynchrony, and the semantics should be interpreted over the currently-observed and continuously-growing trace. To address these challenges, we propose PARO, the partially synchronous system observation framework, which i) adopts the partially synchronous model of time, and introduces the lattice and the timed automata theories to model the trace of system execution; ii) adopts a tailored subset of TCTL to specify temporal properties, and defines the 3-valued semantics to interpret the properties over the currently-observed finite trace; iii) constructs the timed automaton corresponding to the trace at runtime, and reduces the satisfaction of the 3-valued semantics over finite traces to that of the classical boolean semantics over infinite traces. PARO is implemented over MIPA, the open-source middleware we developed. Performance measurements show the cost-effectiveness of PARO in different settings of key environmental factors.

I. Introduction

Advances in sensor and actuator technologies have given rise to the influx of an increasing number of mobile robots with sensing and controlling abilities, besides the basic abilities of computation and communication. Distributed systems formed by the interconnections of such mobile robots enable a variety of novel applications. A typical example of such distributed systems is a group of mobile robots for collaborative tasks, e.g., patrolling a chemical plant [refs].

Though the systems of collaborating mobile robots enable various novel applications, they are notoriously difficult to program. Each mobile robot executes a program implementing one or more distributed algorithms, moves and manipulates its environment, and exchanges messages over wireless communication channels with other robots. Even if the high-level distributed algorithms for these systems are well-understood, failures, timing errors, and message delays make their implementation challenging. Moreover, the system of mobile robots must be aware of and adaptive to the situation it operates in. For example, the robots must know the relative locations of nearby robots to collaboratively form some geometric pattern.

* Corresponding author.

The challenges above motivate us to observe and analyze the execution of a distributed system of mobile robots at runtime. By understanding the system execution, the system developer can delineate and detect symptoms of software bugs. The system itself can also achieve awareness of its situation to adapt its behavior accordingly. Runtime observation and analysis of system execution is an important technique to improve system accountability, and is a complement to the traditional design time techniques such as model checking [ref].

Runtime observation and analysis of system execution is achieved by runtime verifying specified properties over the system execution trace. For example, the robots are designed to satisfy the property $C_1$: all the robots should gather at the assembly point within 15 seconds. By runtime verifying the property over the collected execution trace of the robots, we can know whether the property is satisfied or violated. The results of the verification can further provide useful guidance to the developer (e.g., for the debugging of the system) or the system itself (e.g., for triggering the runtime adaptation of the system). However, runtime verification over the system execution trace faces severe challenges.

The primary challenge is the intrinsic asynchrony of the system. The robots do not share the same notion of time, and communications among them suffer from uncertain delay [refs]. The challenge of the asynchrony becomes more severe due to the resource constraints on the mobile robots, the unreliability of the wireless communications, and the interaction with the physical environment. To cope with this challenge, a proper timing model fitting the actual system is essential to modeling the observed trace of the system execution.

The synchronous model can shield the underlying asynchrony of the system and provide a total-order illusion of all the events in the trace. However, the synchronous model is overly-optimistic in that the local clocks of the robots are never perfectly synchronized in realistic settings [refs]. Reasoning properties directly over the trace assumed to be perfectly timestamped may lead to the neglect of the potential violation of the properties [ref].

The asynchronous model is the most general model since it makes no synchrony assumptions about the underlying system [ref]. However, the asynchronous model is overly-pessimistic in that the existing synchrony of the system (e.g., the synchronized, though not perfect, clocks) is completely abandoned. The cost of reasoning over the asynchronous model is often prohibitively high [refs]. Moreover, the asynchronous model can only describe the temporal happen-before relation between events in the trace. Properties with real-time constraints (e.g., "within 15 seconds" in $C_1$) cannot be reasoned over the asynchronous model.

Varying from the synchronous model and the asynchronous model, the partially synchronous model can appropriately model, at various levels, the synchrony which reasonably exists in a realistic distributed system, such as the imperfectly synchronized clocks in our motivating scenario. Therefore, the cost of reasoning can be effectively restricted, unlike that of the asynchronous model [ref]. Besides, we can also reason properties with real-time constraints with the knowledge that the trace is imperfectly timestamped, although techniques dedicated to handling the uncertainty resulting from the partially synchronous model are still in demand.

Another important challenge arises in the specification of 
system properties of interest to the specifier (i.e., the system 
developer or the system itself). The specifier usually has 
real-time requirements, e.g., in property Ci. To check these 
requirements over the execution trace, we are thus concerned 
with properties with metric-time constraints. To cope with this 
challenge, we should provide a formal specification mechanism 
which can express metric-time properties. Meanwhile, the 
partially synchronous model has the branching-time structure 
due to the uncertainty resulting from the asynchrony, i.e., 
we can derive multiple possible executions of the partially 
synchronous system, besides the actually observed one. Thus, 
the specification should also be able to capture the notion 
of branching time. In addition, as the system executes, the 
observed trace is continuously “growing” to a potentially 
infinite size. The specification should be interpreted over the 
currently-observed (but still growing) finite trace. 

Discussions above necessitate a systematic scheme for formal specification and runtime verification of properties with metric-time constraints over the execution trace of a partially synchronous system. Toward this objective, we propose PARO, the partially synchronous system observation framework, which consists of three essential parts:

1) Modeling of the Trace of System Execution. We adopt 
the partially synchronous model of time. The lattice 
theory is employed to model the branching structure 
of the system execution trace, and the timed automata 
theory is employed to model the metric structure of the 
trace. Hence, we model the system execution trace as a 
continuously-growing timed automaton; 

2) Specification of Temporal Properties. TCTL is adopted to specify temporal properties over the execution trace. TCTL has the branching time structure to cope with the asynchrony in the trace. It can also express the metric-time properties of concern to the specifier. We employ a tailored subset of TCTL to trade certain expressiveness for the efficiency of verification. We also define the 3-valued semantics for the TCTL formulas to be interpreted over the currently-observed finite trace;

3) Verification of the Specified Property at Runtime. We first construct the continuously-growing timed automaton corresponding to the currently-observed trace in an incremental way. Then, we reduce the satisfaction of the 3-valued semantics over the finite trace to that of the classical boolean semantics over the infinite trace.


The PARO framework is implemented and evaluated over MIPA, the open-source middleware we developed [refs]. The performance measurements show the cost-effectiveness of PARO in different settings of key environmental factors. A case study of the realistic mobile robot gathering scenario is also conducted to demonstrate the effectiveness of PARO (as detailed in the Appendix).


The rest of this paper is organized as follows. In Sections II, III and IV we discuss the three essential parts of the PARO framework. In Section V we present the implementation and performance measurements. In Section VI we review the existing work. Section VII concludes the paper with a brief summary and the future work.

II. Modeling of the Trace of System Execution

Understanding the execution of a distributed system of mobile robots is achieved by verifying specified temporal properties over the trace of system execution [ref]. A distributed system consists of a collection of processes $P^{(1)}, \ldots, P^{(n)}$. Examples of the processes include a software process manipulating a mobile robot. One checker process $P_{che}$ is in charge of collecting the execution trace of the processes and verifying the specified property. In this section, we first discuss the partially synchronous model employed to interpret the trace of system execution. Then we discuss the modeling of the branching structure and the metric structure of the trace with the lattice theory and the timed automata theory, respectively.


A. The Partially Synchronous Model 

In realistic settings, each process may have a local clock, and they synchronize their local clocks with an external source clock $T$. External clock synchronization is widely adopted and is especially useful in loosely-coupled networks [ref], e.g., the NTP protocol is used for external synchronization of the Internet [ref].

We model the processes as a partially synchronous system with approximately-synchronized real-time clocks towards the external source clock. We assume a bound $\epsilon$ on the difference between local clocks and the source clock¹. That is, for each event $e$ with local clock timestamp $t$, the global time (referring to the source clock) is bounded by a time interval $I(e) = [lo, hi]$ with $lo = t - \epsilon$ and $hi = t + \epsilon$². Note that we assume the time intervals of the events of the same process are non-decreasing and are consistent with the process order, and there are various ways to ensure this assumption [ref]. In the following sections, unless explicitly stated, we use $lo$ and $hi$ to denote the lower and upper bounds of a time interval, respectively.

¹ Note that our framework allows $\epsilon$ to vary over time, and here we assume a fixed bound $\epsilon$ for the ease of interpretation.

² We assume that the system starts at time 0 for simplicity.

Fig. 1. Space time diagram



Fig. 2. Lattice of CGSs 


B. Modeling the Branching Structure of Time 

We first model the branching structure of time by the lattice 
of consistent global states (i.e., lattice of system snapshots). 
Then we define the possible temporal evolutions of the system 
state by the active-surface-induced CGS sequences. 


1) Lattice of Consistent Global States: As the system executes, each process $P^{(k)}$ generates its (potentially infinite) trace of local states connected by events: "$s_0^{(k)} \xrightarrow{e_0^{(k)}} s_1^{(k)} \xrightarrow{e_1^{(k)}} \cdots$". Each local state $s$ is delimited by its two adjacent events, the event that enters $s$ and the event that leaves $s$, denoted by $le(s)$ and $he(s)$, respectively. According to our timing model, the global time of each event can be bounded by a time interval $[lo, hi]$. Thus we can define the "definitely occurred before" relation (denoted by '$\to$') between the events and the states [ref]. For two events $e_1$ and $e_2$, $e_1 \to e_2$ if i) they are on the same process and $e_1.lo < e_2.lo$; or ii) they are on different processes and $e_1.hi < e_2.lo$. Based on the relation between the events, we can further define the relation between local states. For two local states $s_1$ and $s_2$, $s_1 \to s_2$ if i) they are on the same process and $le(s_1) \to le(s_2)$; or ii) they are on different processes and $he(s_1) \to le(s_2)$. As shown in Fig. 1, the events (the black dots) are labeled with time intervals and the $\to$ relation between the events is explicitly depicted.


A global state $C = (s^{(1)}, \ldots, s^{(n)})$ is an $n$-tuple of local states, one from each process $P^{(k)}$. Intuitively, a global state is consistent if an omniscient external observer could possibly observe that the system enters this state. Formally, a global state $C$ is consistent iff the constituent local states are pairwise concurrent, i.e.,

$$C = (s^{(1)}, \ldots, s^{(n)}) \text{ is consistent iff } \forall i, j : i \neq j :: s^{(i)} \not\to s^{(j)}$$


A Consistent Global State (CGS) denotes a snapshot or a meaningful observation of the distributed system [refs]. We use $C[k]$ to denote the constituent local state of CGS $C$ from process $P^{(k)}$. One key notion is that the set of observed CGSs has the lattice structure (denoted by $LAT$) [ref]. The significance of time is that it restricts the possible interleavings of local states, which in turn determines the lattice of system snapshots. As the system executes, the observed lattice "grows" at runtime, to a potentially infinite size. Fig. 2 shows a currently-observed lattice of Fig. 1. The dots '○' denote the CGSs and crosses '×' denote inconsistent global states.

We specify predicates over the CGSs to delineate properties concerning specific snapshots of the system. The predicates over CGSs can be viewed as the labeling of CGSs with letters from a finite alphabet $AP$ (i.e., all pre-defined CGS predicates). Fig. 2 is an example where each CGS is labeled with the predicate ('a' or '¬a') it satisfies.

2) Active-surface-induced CGS Sequences: As the system executes, the lattice "grows" and new CGSs will be added to $LAT$ as successors of the active surface CGSs [ref]. CGSs whose immediate successors (consistent or inconsistent global states) are not all discovered could have new immediate successors. We define these CGSs as the active surface. To formally define the active surface, first note that $P_{che}$ uses a queue $Que^{(k)}$ ($1 \le k \le n$) to store the local states (in FIFO manner) sent from each $P^{(k)}$ [refs]. Let $G_{max}$ be the maximal observed global state (not necessarily consistent). The active surface is defined as:

$$Act(LAT) = \{C \mid C \in LAT, \exists k, C[k] = G_{max}[k]\}$$

We are concerned with the active surface, because when $P_{che}$ observes a new local state from some process $P^{(k)}$, new CGSs stem from the active surface [ref]. An example of the active surface is shown in Fig. 2.

In order to model the temporal evolution of the system state, we define the CGS sequence $Seq(C_i, C_j)$ as a sequence of CGSs from $C_i$ to $C_j$. The bold line in Fig. 2 denotes a CGS sequence. We use $Seq[k]$ to index the CGSs of the CGS sequence $Seq$.

Active-surface-induced CGS sequences, i.e., CGS sequences which originate from the initial CGS and span to the active surface CGSs, capture all possible temporal evolutions of the system state resulting from the asynchrony [ref]. They are observed finite prefixes of the potentially infinite system state evolutions. Active-surface-induced CGS sequences of $LAT$ are defined as:

$$Path(LAT) = \{Seq(C_0, C_i) \mid C_i \in Act(LAT)\}$$

For example, in Fig. 2, all possible temporal evolutions of the system state are CGS sequences starting from $C_0$ and currently ending at the active surface CGSs $\{C_{13}, C_{23}\}$.
Fig. 3. Definite and possible intervals of a CGS



Please refer to our previous work for more detailed discussions on the modeling of asynchronous computations [refs].

C. Modeling the Metric Structure of Time 

In this section, we discuss the modeling of the metric 
structure of time, based on the lattice structure discussed 
above. We first discuss the modeling of time information of 
the CGSs of the lattice, and then discuss the modeling of the 
lattice as a timed automaton. 

1) Time Information of the CGSs: As the time of each event $e$ is bounded by a global time interval $[lo, hi]$ (as shown in Fig. 1) and each local state $s$ is defined by its adjacent events $le(s)$ and $he(s)$, we can define the definite interval and possible interval of a local state. The definite interval $I_{def}(s)$ of local state $s$ is

$$I_{def}(s) = [le(s).hi,\ he(s).lo]$$

indicating that the process is definitely in local state $s$ when the global time is in $I_{def}(s)$. Similarly, the possible interval $I_{pos}(s)$ of local state $s$ is

$$I_{pos}(s) = [le(s).lo,\ he(s).hi]$$

indicating that the process is possibly in local state $s$ when the global time is in $I_{pos}(s)$. For instance, one local state $s$ in Fig. 1 has $I_{def}(s) = [6, 11]$ and $I_{pos}(s) = [4, 13]$ with $\epsilon = 1$.

Notice that a CGS is a vector of local states from each process. We can further define the definite interval and possible interval of a CGS. The definite interval $I_{def}(C)$ of CGS $C$ is the intersection of all the definite intervals of the constituent local states, i.e.,

$$I_{def}(C) = [\max_{1 \le k \le n} I_{def}(C[k]).lo,\ \min_{1 \le k \le n} I_{def}(C[k]).hi]$$

indicating that the system is definitely in CGS $C$ when the global time is in $I_{def}(C)$ (when $I_{def}(C).lo \le I_{def}(C).hi$). Similarly, the possible interval $I_{pos}(C)$ is the intersection of all the possible intervals of the constituent local states, i.e.,

$$I_{pos}(C) = [\max_{1 \le k \le n} I_{pos}(C[k]).lo,\ \min_{1 \le k \le n} I_{pos}(C[k]).hi]$$

indicating that the system is possibly in CGS $C$ when the global time is in $I_{pos}(C)$. Take the CGS $C_{11}$ in Fig. 2 as an example: $I_{def}(C_{11}) = [6, 7]$ and $I_{pos}(C_{11}) = [4, 9]$, as shown in Fig. 3. Each CGS of the lattice in Fig. 2 is equipped with time intervals, with the upper one indicating the definite interval and the lower one indicating the possible interval.
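The following is an added worked example (not code from the paper or from MIPA) that implements the modeling of Sections II-A, II-B.1 and II-C.1 end to end: event intervals $[t - \epsilon, t + \epsilon]$, the "definitely occurred before" relation on events and local states, CGS consistency, the lattice of CGSs, the active surface $Act(LAT)$, and the intervals $I_{def}$ / $I_{pos}$ of local states and CGSs. The local timestamps are constructed here (they are not read from Fig. 1), chosen so that one local state and one CGS reproduce the interval values quoted in the text.

```python
from dataclasses import dataclass
from itertools import product
from typing import List, Sequence, Tuple

EPS = 1  # assumed clock-offset bound ε (the text's example uses ε = 1)
Interval = Tuple[int, int]


@dataclass(frozen=True)
class Event:
    proc: int  # index k of the process P^(k) that generated the event
    t: int     # local clock timestamp

    # Global-time bounds from the partially synchronous model: I(e) = [t - ε, t + ε]
    @property
    def lo(self) -> int:
        return self.t - EPS

    @property
    def hi(self) -> int:
        return self.t + EPS


@dataclass(frozen=True)
class LocalState:
    proc: int
    le: Event  # event that enters the state
    he: Event  # event that leaves the state

    def i_def(self) -> Interval:  # definite interval [le.hi, he.lo]
        return (self.le.hi, self.he.lo)

    def i_pos(self) -> Interval:  # possible interval [le.lo, he.hi]
        return (self.le.lo, self.he.hi)


def ev_before(e1: Event, e2: Event) -> bool:
    """'Definitely occurred before' (→) on events."""
    if e1.proc == e2.proc:
        return e1.lo < e2.lo
    return e1.hi < e2.lo


def st_before(s1: LocalState, s2: LocalState) -> bool:
    """'Definitely occurred before' (→) lifted to local states."""
    if s1.proc == s2.proc:
        return ev_before(s1.le, s2.le)
    return ev_before(s1.he, s2.le)


def consistent(g: Sequence[LocalState]) -> bool:
    """A global state is a CGS iff its local states are pairwise concurrent."""
    return all(not st_before(g[i], g[j])
               for i in range(len(g)) for j in range(len(g)) if i != j)


def cgs_intervals(c: Sequence[LocalState]) -> Tuple[Interval, Interval]:
    """I_def(C) and I_pos(C): intersections of the constituent states' intervals."""
    i_def = (max(s.i_def()[0] for s in c), min(s.i_def()[1] for s in c))
    i_pos = (max(s.i_pos()[0] for s in c), min(s.i_pos()[1] for s in c))
    return i_def, i_pos


def local_trace(proc: int, stamps: Sequence[int]) -> List[LocalState]:
    """Local states of P^(proc), delimited by consecutive events with the given timestamps."""
    evs = [Event(proc, t) for t in stamps]
    return [LocalState(proc, evs[i], evs[i + 1]) for i in range(len(evs) - 1)]


def lattice(traces: Sequence[Sequence[LocalState]]) -> List[Tuple[LocalState, ...]]:
    """All CGSs of the currently observed trace (the lattice LAT, as a set)."""
    return [g for g in product(*traces) if consistent(g)]


def active_surface(lat: Sequence[Tuple[LocalState, ...]],
                   traces: Sequence[Sequence[LocalState]]) -> List[Tuple[LocalState, ...]]:
    """Act(LAT): CGSs sharing at least one dimension with the maximal observed global state G_max."""
    g_max = tuple(tr[-1] for tr in traces)
    return [c for c in lat if any(c[k] == g_max[k] for k in range(len(g_max)))]


# Constructed local timestamps for two processes (not the paper's figure data).
# P^(1)'s second state has I_def = [6, 11] and I_pos = [4, 13]; paired with P^(2)'s
# second state, the CGS has I_def = [6, 7] and I_pos = [4, 9], the values quoted in the text.
TRACES = [local_trace(1, [0, 5, 12, 20]), local_trace(2, [0, 3, 8, 16])]

if __name__ == "__main__":
    lat = lattice(TRACES)
    for c in lat:
        print([s.le.t for s in c], cgs_intervals(c))
    print("active surface size:", len(active_surface(lat, TRACES)))
```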


Fig. 4. Timed automaton TA(LAT) 


2) Lattice as a Timed Automaton: The continuously-growing lattice equipped with time intervals can be characterized by a continuously-growing timed automaton adapted from the classical timed automaton [refs]. The timed automaton corresponding to a currently-observed lattice is a tuple:

$$TA(LAT) = (Loc, T, \hookrightarrow, Loc_0, Inv, AP, L, Loc_F)$$

where

• $Loc$ is a set of locations, i.e., the set of CGSs of $LAT$;

• $T$ is the global clock;

• $\hookrightarrow \subseteq Loc \times CC(T) \times Loc$ is a transition relation;

• $Loc_0 \in Loc$ is the initial location, i.e., the initial CGS $C_0$ of $LAT$;

• $Inv : Loc \mapsto CC(T)$ is an invariant-assignment function;

• $AP$ is a finite set of all pre-defined CGS predicates;

• $L : Loc \mapsto 2^{AP}$ is a labeling function for the locations;

• $Loc_F \subseteq Loc$ is a finite set of accepting locations, i.e., the active surface CGSs $Act(LAT)$.

Here, $CC(T)$ denotes the set of clock constraints over $T$ of the form

$$g ::= T < c \mid T \le c \mid T > c \mid T \ge c \mid g \wedge g \quad (c \in \mathbb{N})$$

The transformation from the lattice in Fig. 2 to a timed automaton is illustrated in Fig. 4. The locations of the timed automaton correspond to the CGSs of the lattice. The invariant of each location $C$ is of the form $T \le I_{pos}(C).hi$, indicating the time that the system can stay at $C$. The guard of each transition to a location $C$ is of the form $T \ge I_{pos}(C).lo$, indicating when the transition can be taken.

The finite paths accepted by the timed automaton can be represented by a transition system $TS(TA(LAT))$ (or $TS(TA)$ for short) [ref]. The states $S$ in $TS(TA)$ are defined as $S = (C, t)$, where $C$ is the current location and $t$ is the current value of the clock $T$. The finite paths $Path_{fin}(TS(TA))$ of $TS(TA)$ are the active-surface-induced CGS sequences equipped with timestamps, of the form

$$\pi = (Seq[0], 0) \xrightarrow{d_1} (Seq[0], d_1) \to (Seq[1], d_1) \xrightarrow{d_2} (Seq[1], d_1 + d_2) \cdots \to (Seq[i], d_1 + \cdots + d_j)$$

with $Seq(C_0, C_i) \in Path(LAT)$, $Seq[i] \in Loc_F$, and

$$I_{def}(Seq[i]).hi \le d_1 + \cdots + d_j \le I_{pos}(Seq[i]).hi \ ^{3}$$

We use $\pi[k]$ to denote the $(k+1)$-st state of path $\pi$, $\pi[k].C$ to denote the location of $\pi[k]$, and $\pi[k].t$ to denote the time value of $\pi[k]$. Notice that each path starts with the initial state $(Loc_0, 0)$, and continuously grows as the lattice grows, to a potentially infinite size.

III. Specification of Temporal Properties

Our specification inherits the notions of branching time and metric time from TCTL [ref]. It is a tailored subset of TCTL, which trades certain expressiveness for the efficiency of verification. The 3-valued semantics is adopted to cope with the verification over the currently-observed finite trace, in contrast to the traditional boolean semantics over the infinite trace of possible system execution. We first present the syntax and then discuss the 3-valued semantics.

A. Syntax

The syntax of our specification is defined as follows:

$$\Phi ::= \exists\varphi \mid \forall\varphi$$

$$\varphi ::= \Diamond^J \phi \mid \Box^J \phi$$

$$\phi ::= a \mid g \mid \phi \wedge \phi \mid \phi \vee \phi \mid \neg\phi \mid \phi \to \phi$$

where $a \in AP$, $g \in CC(T)$, and $J \subseteq \mathbb{R}_{\ge 0}$ is a time interval bounded by natural numbers [ref].

Our specification is a subset of TCTL without nested modal operators [ref]. It can express numerous properties in our scenario. Informally, $\exists\Diamond^J\phi$ means $\phi$ possibly holds during the interval $J$, $\exists\Box^J\phi$ means $\phi$ potentially always holds in $J$, $\forall\Diamond^J\phi$ means $\phi$ always eventually holds in $J$, and $\forall\Box^J\phi$ means $\phi$ invariantly holds in $J$. Notice that $\exists\Diamond^J\phi = \neg\forall\Box^J\neg\phi$ and $\forall\Box^J\phi = \neg\exists\Diamond^J\neg\phi$. For example, the property $C_1$ (i.e., "all the robots should gather at the assembly point within 15 seconds") in Section I can be expressed as $\Phi_{C_1} = \forall\Diamond^{[0,15]} a$ with $a$ = "all the robots are at the assembly point".

B. The 3-valued Semantics

We first discuss the classical boolean semantics over infinite paths, then discuss why the 3-valued semantics is inevitable for finite paths, and finally present the 3-valued semantics.

Given an infinite path $\pi \in Path_{inf}(TS)$ of a transition system $TS$ with infinite paths and a time $j \ge 0$, we can get the locations in the path at time $j$, denoted by

$$Loc(\pi, j) = \{\pi[k].C \mid k \ge 0 \wedge \pi[k].t \le j \wedge \pi[k+1].t \ge j\}$$

Note that we can easily check whether a location $C$ satisfies a predicate $\phi$, i.e., $C \models \phi$⁴. Thus, we can check whether an infinite path $\pi$ satisfies a path formula $\varphi$:

$$\pi \models \Diamond^J\phi \text{ iff } \exists j \in J, \exists C \in Loc(\pi, j), C \models \phi \quad (1)$$

$$\pi \models \Box^J\phi \text{ iff } \forall j \in J, \forall C \in Loc(\pi, j), C \models \phi \quad (2)$$

³ The lower bound of $d_1 + \cdots + d_j$ can be tightly bounded by the value in Eq. (11) by replacing $C$ with $Seq[i]$.

⁴ The details are omitted here for brevity.


Then we can easily check whether a transition system $TS$ with infinite paths satisfies a TCTL formula $\Phi$:

$$TS \models \exists\varphi \text{ iff } \exists\pi \in Path_{inf}(TS), \pi \models \varphi \quad (3)$$

$$TS \models \forall\varphi \text{ iff } \forall\pi \in Path_{inf}(TS), \pi \models \varphi \quad (4)$$

The timed automaton $TA$ of the transition system $TS$ satisfies a TCTL formula $\Phi$ iff the transition system $TS$ satisfies the formula $\Phi$, i.e.,

$$TA \models \Phi \text{ iff } TS(TA) \models \Phi \quad (5)$$

However, the paths of the transition system corresponding to the lattice are finite, and finite paths may not be sufficient to either satisfy or falsify TCTL formulas [refs]. For example, based on the classical boolean semantics of TCTL, the timed automaton in Fig. 4 does not satisfy the formula $\Phi_{C_1}$. The timed automaton grows as the lattice grows, and there may be a new successor location of $Loc_{13}$ and $Loc_{23}$ satisfying 'a' (as in Fig. 5), which may lead to the satisfaction of $\Phi_{C_1}$. That is to say, the classical semantics of TCTL does not provide intuitive and convenient support for this case of "being inconclusive" over the currently-observed finite trace. This case of being inconclusive may often appear when verifying TCTL formulas over the observed finite trace at runtime.

Discussions above motivate us to adopt the 3-valued semantics, i.e., providing a third value "inconclusive" for the case of being inconclusive [refs]. We use the symbols '⊤', '⊥', and '?' to denote "true", "false", and "inconclusive", respectively. Let $\Pi$ be the set of all the infinite timed paths with non-decreasing time. The semantics of whether a finite path $\pi$ satisfies a path formula $\varphi$ is defined as follows:

$$[\pi \models \varphi] = \begin{cases} \top & \text{if } \forall\sigma, \pi\sigma \in \Pi, \pi\sigma \models \varphi \\ \bot & \text{if } \forall\sigma, \pi\sigma \in \Pi, \pi\sigma \not\models \varphi \\ ? & \text{otherwise.} \end{cases} \quad (6)$$

The semantics of our specification is defined as follows:

$$[TS(TA) \models \exists\varphi] = \begin{cases} \top & \text{if } \exists\pi \in Path_{fin}(TS(TA)), [\pi \models \varphi] = \top \\ \bot & \text{if } \forall\pi \in Path_{fin}(TS(TA)), [\pi \models \varphi] = \bot \\ ? & \text{otherwise.} \end{cases} \quad (7)$$

$$[TS(TA) \models \forall\varphi] = \begin{cases} \top & \text{if } \forall\pi \in Path_{fin}(TS(TA)), [\pi \models \varphi] = \top \\ \bot & \text{if } \exists\pi \in Path_{fin}(TS(TA)), [\pi \models \varphi] = \bot \\ ? & \text{otherwise.} \end{cases} \quad (8)$$

$$[TA \models \Phi] = \begin{cases} \top & \text{iff } [TS(TA) \models \Phi] = \top \\ \bot & \text{iff } [TS(TA) \models \Phi] = \bot \\ ? & \text{otherwise.} \end{cases} \quad (9)$$

IV. Verification of the Specified Property at Runtime

In this section, we discuss the verification of the specified property at runtime. Each time a new local state of some process is sent to $P_{che}$, $P_{che}$ first incrementally updates the new active surface, constructs the corresponding timed automaton, and then checks the property $\Phi$ over the timed automaton. The checking of $\Phi$ over the timed automaton is achieved by checking $\Phi$ over two special extended timed automata with infinite paths.





We first discuss the incremental maintenance of the active 
surface and the corresponding timed automaton, and then 
discuss the verification of the specified property. 

A. Maintenance of the Timed Automaton 

$P_{che}$ continuously collects the execution trace from the processes, and maintains the active surface (not the whole lattice of system snapshots) at runtime. The maintenance of the active surface is incremental in that new CGSs can grow from the active surface. With the notion of the active surface, the evolution of the lattice can be viewed as discarding the "old" nodes in the active surface and obtaining the "new" ones incrementally at runtime [ref]. The worst-case number of active surface CGSs is in $O(np^{n-1})$, where $p$ is the upper bound of the number of local states of each process, and $n$ is the number of processes. (Note that the worst-case number of CGSs of the whole lattice is $O(p^n)$.) Please refer to our previous work [ref] for more detailed discussions on the runtime maintenance algorithm of the active surface.

Based on the incremental maintenance of the active surface, the timed automaton corresponding to the lattice can also be incrementally constructed. Notice that each location of the timed automaton corresponds to one CGS of the lattice. The successor CGSs of the inactive CGSs (e.g., the white CGSs in Fig. 2) have already been discovered, and the corresponding part of the timed automaton (e.g., the white locations in Fig. 4) also has been completely constructed. Thus, the timed automaton can be incrementally constructed based on the runtime maintenance of the active surface. Whenever a new active CGS is added to the active surface, a new location corresponding to the new CGS is added to the timed automaton.

B. Verification of the Specified Property 

Though our specification is a tailored subset of TCTL, we cannot directly apply the standard TCTL model checking algorithms on the timed automaton $TA$ due to the 3-valued semantics dedicated to finite paths of $TS(TA)$. According to the 3-valued semantics in Eq. (6), we should append each finite path $\pi$ with all possible infinite suffixes $\sigma$ and check whether the infinite paths $\pi\sigma \in \Pi$ satisfy the path formula $\varphi$. Rather than appending the finite path with all possible infinite suffixes, we define two special types of infinite suffixes $\sigma_\top$ and $\sigma_\bot$ with $\forall k, \sigma_\top[k].C \models \phi$ and $\sigma_\bot[k].C \not\models \phi$ to ease the verification. Then, Eq. (6) can be rewritten as follows:

$$[\pi \models \varphi] = \begin{cases} \top & \text{if } \pi\sigma_\top \models \varphi \wedge \pi\sigma_\bot \models \varphi \\ \bot & \text{if } \pi\sigma_\top \not\models \varphi \wedge \pi\sigma_\bot \not\models \varphi \\ ? & \text{otherwise.} \end{cases} \quad (10)$$

Based on the semantics above, we can extend each path $\pi \in Path_{fin}(TS(TA))$ with the two types of infinite suffixes $\sigma_\top$ and $\sigma_\bot$. The extension with $\sigma_\top$ is achieved by adding an extra location $Loc_{inf}$ with $L(Loc_{inf}) = \{\phi\}$ to the timed automaton, and adding transitions from each of the locations $C \in Loc_F$ to $Loc_{inf}$ with the guard

$$T \ge \min_{i \in \{k \mid C[k] = G_{max}[k]\}} \max(I_{pos}(C).lo,\ I_{def}(C[i]).hi) \quad (11)$$

The guard can be understood by assuming that, in dimension $i$ of the CGS $C$, a successor CGS $C'$ is coming. The guard from $C$ to $C'$ is $T \ge I_{pos}(C').lo = \max(I_{pos}(C).lo, I_{pos}(C'[i]).lo)$ with $I_{pos}(C'[i]).lo = I_{def}(C[i]).hi$. The extension with $\sigma_\bot$ is done in the same way except that $L(Loc_{inf}) = \{\neg\phi\}$. After that, we can get two extended timed automata $TA_\top$ and $TA_\bot$ with infinite paths. The extensions to the timed automaton of Fig. 4 are shown in Fig. 5 and Fig. 6. The location $Loc_{inf}$ in Fig. 5 is labeled with $\{a\}$ and the location $Loc_{inf}$ in Fig. 6 is labeled with $\{\neg a\}$. In Fig. 5, based on Eq. (11), the guard of the transition from $Loc_{13}$ to $Loc_{inf}$ is $T \ge \max(I_{pos}(C_{13}).lo, I_{def}(C_{13}[2]).hi)$. Notice that $I_{pos}(C_{13}).lo = 10$ (as shown in Fig. 2), and $I_{def}(C_{13}[2]).hi = I_{def}(s_3^{(2)}).hi = 12$ (as shown in Fig. 1). Thus, the guard of the transition from $Loc_{13}$ to $Loc_{inf}$ is $T \ge 12$.

Fig. 5. Extended timed automaton $TA_\top$

Fig. 6. Extended timed automaton $TA_\bot$
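The following is an added example (not code from the paper or from MIPA) of the construction in Section II-C.2 and the extension just described: it builds $TA(LAT)$ with the invariant $T \le I_{pos}(C).hi$ and guard $T \ge I_{pos}(C).lo$, and derives $TA_\top$ / $TA_\bot$ by adding $Loc_{inf}$ with the Eq. (11) guard. The per-CGS data (intervals, $G_{max}$ membership, successors, labels) are assumed to come from the lattice maintenance and are entered by hand here as constructed values; $C_{13}$ is set up so that the guard $T \ge 12$ worked out in the text is reproduced.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Interval = Tuple[int, int]


@dataclass(frozen=True)
class CgsInfo:
    """Per-CGS data derived in Section II (constructed by hand for this example)."""
    pos: Interval                  # I_pos(C)
    part_def_hi: Tuple[int, ...]   # I_def(C[k]).hi for each dimension k
    at_gmax: Tuple[bool, ...]      # whether C[k] == G_max[k], for each dimension k
    succ: Tuple[str, ...]          # immediate successor CGSs already present in LAT
    labels: frozenset              # L(C), a subset of AP


@dataclass
class TimedAutomaton:
    init: str
    inv: Dict[str, Optional[int]] = field(default_factory=dict)      # loc -> c in "T <= c" (None: no bound)
    trans: List[Tuple[str, int, str]] = field(default_factory=list)  # (src, c in guard "T >= c", dst)
    labels: Dict[str, frozenset] = field(default_factory=dict)
    accepting: List[str] = field(default_factory=list)               # Loc_F = Act(LAT)


def build_ta(lat: Dict[str, CgsInfo], init: str) -> TimedAutomaton:
    """TA(LAT): invariant T <= I_pos(C).hi per location, guard T >= I_pos(C').lo per edge into C'."""
    ta = TimedAutomaton(init)
    for name, c in lat.items():
        ta.inv[name] = c.pos[1]
        ta.labels[name] = c.labels
        ta.trans += [(name, lat[d].pos[0], d) for d in c.succ]
        if any(c.at_gmax):  # C shares a dimension with G_max, i.e. C is on the active surface
            ta.accepting.append(name)
    return ta


def inf_guard(c: CgsInfo) -> int:
    """Eq. (11): earliest global time at which a not-yet-observed successor of C can be entered."""
    return min(max(c.pos[0], c.part_def_hi[i]) for i, g in enumerate(c.at_gmax) if g)


def extend(ta: TimedAutomaton, lat: Dict[str, CgsInfo], phi: str, positive: bool) -> TimedAutomaton:
    """TA_top (positive=True) or TA_bot: add Loc_inf labelled {phi} or {not phi}, reachable from every
    accepting location under the Eq. (11) guard, with a self-loop so that every path becomes infinite."""
    ext = TimedAutomaton(ta.init, dict(ta.inv), list(ta.trans), dict(ta.labels), list(ta.accepting))
    ext.inv["Loc_inf"] = None
    ext.labels["Loc_inf"] = frozenset({phi if positive else "¬" + phi})
    for name in ta.accepting:
        ext.trans.append((name, inf_guard(lat[name]), "Loc_inf"))
    ext.trans.append(("Loc_inf", 0, "Loc_inf"))
    return ext


NA = frozenset({"¬a"})
# Constructed lattice data (not read from the paper's figures). C13 has I_pos(C13).lo = 10 and
# I_def(C13[2]).hi = 12 with only dimension 2 at G_max, so its Loc_inf guard must be T >= 12.
LAT = {
    "C00": CgsInfo((0, 4), (1, 1), (False, False), ("C10", "C01"), NA),
    "C10": CgsInfo((2, 6), (5, 1), (False, False), ("C11",), NA),
    "C01": CgsInfo((1, 5), (1, 3), (False, False), ("C11",), NA),
    "C11": CgsInfo((4, 9), (11, 7), (False, False), ("C12",), NA),
    "C12": CgsInfo((7, 13), (11, 9), (False, False), ("C13",), NA),
    "C13": CgsInfo((10, 14), (11, 12), (False, True), ("C23",), NA),
    "C23": CgsInfo((13, 17), (15, 12), (True, True), (), NA),
}

if __name__ == "__main__":
    ta = build_ta(LAT, "C00")
    for src, c, dst in extend(ta, LAT, "a", True).trans:
        print(f"{src} --[T >= {c}]--> {dst}")
```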

Based on Eq. (3)-(5), we can check whether $TA_\top \models \Phi$ and $TA_\bot \models \Phi$. Then the semantics of our specification in Eq. (9) can be rewritten as follows:

$$[TA \models \Phi] = \begin{cases} \top & \text{if } [TA_\top \models \Phi] = [TA_\bot \models \Phi] = \top \\ \bot & \text{if } [TA_\top \models \Phi] = [TA_\bot \models \Phi] = \bot \\ ? & \text{otherwise.} \end{cases} \quad (12)$$

Consequently, the verification boils down to the verification of $TA_\top \models \Phi$ and $TA_\bot \models \Phi$. Based on the two timed automata in Fig. 5 and Fig. 6, we can know that $[TA \models \Phi_{C_1}] = ?$, i.e., the result is "inconclusive".
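The following is an added example (not code from the paper or from MIPA) that evaluates the 3-valued semantics of Section III-B and the reduction of Eq. (10) over finite timed paths: each path is a list of (labels of $\pi[k].C$, $\pi[k].t$) pairs, the path verdict is computed from the two canonical suffixes $\sigma_\top$ and $\sigma_\bot$, and the $\exists$ / $\forall$ verdicts follow Eq. (7)-(8). It assumes that a suffix starts at the last timestamp of the prefix and covers all later global times. The paths are constructed here (not the paper's figure data) and show $\Phi_{C_1} = \forall\Diamond^{[0,15]} a$ coming out inconclusive, violated, and satisfied.

```python
from typing import Callable, FrozenSet, List, Tuple

Label = FrozenSet[str]
State = Tuple[Label, float]       # (L(π[k].C), π[k].t)
Path = List[State]                # one finite timed path π ∈ Path_fin(TS(TA))
Interval = Tuple[float, float]    # the time interval J, closed and bounded by naturals
INF = float("inf")


def overlaps(a: Interval, b: Interval) -> bool:
    return max(a[0], b[0]) <= min(a[1], b[1])


def holds_on(path: Path, op: str, J: Interval, phi: Callable[[Label], bool],
             suffix_phi: bool) -> bool:
    """Boolean semantics (Eq. 1-2) of ◇^J φ (op='F') or □^J φ (op='G') on the infinite path πσ.
    σ is σ_⊤ (suffix_phi=True: every suffix location satisfies φ) or σ_⊥ (suffix_phi=False).
    Assumption: σ starts at the last timestamp of π and covers every later global time."""
    dwell = []  # (φ holds at this location, global times at which the path sits at it)
    for k, (labels, t) in enumerate(path):
        t_next = path[k + 1][1] if k + 1 < len(path) else t
        dwell.append((phi(labels), (t, t_next)))
    dwell.append((suffix_phi, (path[-1][1], INF)))
    if op == "F":   # some location visited at a time in J satisfies φ
        return any(v and overlaps(iv, J) for v, iv in dwell)
    if op == "G":   # every location visited at a time in J satisfies φ
        return all(v or not overlaps(iv, J) for v, iv in dwell)
    raise ValueError(op)


def path_verdict(path: Path, op: str, J: Interval, phi: Callable[[Label], bool]) -> str:
    """Eq. (10): [π ⊨ φ] from the two canonical suffixes instead of all σ ∈ Π."""
    with_top = holds_on(path, op, J, phi, True)
    with_bot = holds_on(path, op, J, phi, False)
    if with_top and with_bot:
        return "T"
    if not with_top and not with_bot:
        return "F"
    return "?"


def verdict(paths: List[Path], quant: str, op: str, J: Interval,
            phi: Callable[[Label], bool]) -> str:
    """Eq. (7)-(8):[TS(TA) ⊨ ∃φ] (quant='E') or [TS(TA) ⊨ ∀φ] (quant='A') over the finite
    active-surface-induced paths; Eq. (9) passes the value through to [TA ⊨ Φ] unchanged."""
    vs = [path_verdict(p, op, J, phi) for p in paths]
    if quant == "E":
        return "T" if "T" in vs else ("F" if all(v == "F" for v in vs) else "?")
    if quant == "A":
        return "T" if all(v == "T" for v in vs) else ("F" if "F" in vs else "?")
    raise ValueError(quant)


def has_a(labels: Label) -> bool:   # the CGS predicate a of Φ_C1
    return "a" in labels


# Constructed finite paths for Φ_C1 = ∀◇^[0,15] a (not the paper's figure data).
NA, A = frozenset({"¬a"}), frozenset({"a"})
PATH_A: Path = [(NA, 0), (NA, 4), (NA, 10)]   # no 'a' yet, observed up to time 10
PATH_B: Path = [(NA, 0), (NA, 6), (NA, 12)]   # no 'a' yet, observed up to time 12
PATH_C: Path = [(NA, 0), (NA, 7), (NA, 16)]   # deadline 15 already passed without 'a'
PATH_D: Path = [(NA, 0), (A, 9), (A, 11)]     # 'a' observed at time 9

if __name__ == "__main__":
    print(verdict([PATH_A, PATH_B], "A", "F", (0, 15), has_a))  # inconclusive: "?"
    print(verdict([PATH_A, PATH_C], "A", "F", (0, 15), has_a))  # violated: "F"
    print(verdict([PATH_D], "A", "F", (0, 15), has_a))          # satisfied: "T"
```

Because satisfaction with $\sigma_\bot$ implies satisfaction with $\sigma_\top$ for both $\Diamond^J$ and $\Box^J$, quantifying over paths here gives the same result as checking $TA_\top$ and $TA_\bot$ separately as in Eq. (12).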

The verification of the formula $\Phi$ on the timed automaton $TA$ is achieved by checking the derived CTL formula $\hat\Phi$ on $TA$ [ref]. The time interval $J$ in the formula $\Phi$ is eliminated by adding equivalent clock constraints into the $\phi$ part⁵. We can transform the TCTL formula $\Phi$ into a CTL formula $\hat\Phi$ as follows:

$\Phi = \exists\varphi$ then $\hat\Phi = \exists\hat\varphi$

$\Phi = \forall\varphi$ then $\hat\Phi = \forall\hat\varphi$

$\varphi = \Diamond^J\phi$ then $\hat\varphi = \Diamond(T \in J \wedge \phi)$

$\varphi = \Box^J\phi$ then $\hat\varphi = \Box(T \in J \to \phi)$

For example, the derived CTL formula of $\Phi_{C_1} = \forall\Diamond^{[0,15]} a$ is $\hat\Phi_{C_1} = \forall\Diamond((T \le 15) \wedge a)$.

The equivalence of the satisfaction is ensured as follows:

$$TA \models \Phi \text{ iff } TA \models_{CTL} \hat\Phi \quad (13)$$

The proof is straightforward and omitted here [ref]. Thus, the verification is finally reduced to the verification of $TA_\top \models_{CTL} \hat\Phi$ and $TA_\bot \models_{CTL} \hat\Phi$, i.e., checking a CTL formula (without nested modal operators) on a classical timed automaton (with only one clock), which can be efficiently achieved by numerous optimization algorithms [refs]. The skeleton of the verification algorithm is shown in Algorithm 1.

Algorithm 1: Verification algorithm on $P_{che}$

1 Upon initialization
2   get property $\Phi$, and transform $\Phi$ into CTL formula $\hat\Phi$;
3 Upon receiving local state $s^{(k)}$ from $P^{(k)}$
4   construct $Act(LAT)$ with $s^{(k)}$ incrementally;
5   construct $TA(LAT)$ incrementally;
6   extend $TA(LAT)$ into $TA_\top$ and $TA_\bot$;
7   check $TA_\top \models_{CTL} \hat\Phi$ and $TA_\bot \models_{CTL} \hat\Phi$;
8   check $TA \models \Phi$ according to Eq. (12)-(13);

V. Experiments 

In this section, we first describe the implementation of PARO, and then discuss the performance evaluation. The effectiveness of PARO is demonstrated through a case study of a realistic mobile robot gathering scenario based on our RobotCar project. Details of the case study can be found in the Appendix.

A. Implementation 

We implement PARO on the open-source middleware we developed, Middleware Infrastructure for Predicate detection in Asynchronous environments (MIPA) [ref]. Based on MIPA, we specify properties in TCTL formulas (e.g., the formula $\Phi_{C_1}$) to the middleware using an XML schema. The devices (e.g., mobile robots) register themselves to the middleware (abstracted as processes), and continuously send the trace with local timestamps to the checker processes on the middleware. Checker processes are implemented as third-party services on the middleware, in charge of collecting related traces and verifying the formulas. The verification of $TA_\top \models_{CTL} \hat\Phi$ and $TA_\bot \models_{CTL} \hat\Phi$ (line 7 of Algorithm 1) is achieved by incrementally generating XML descriptions for the timed automata and automatically invoking UPPAAL [ref], which is a toolbox for verification of real-time systems. Each time a formula is verified "true", "false", or "inconclusive", the middleware will notify the users.

⁵ As we do not allow nested modal operators in the specification and the timed automaton has no clock resets, there is no need for introducing a fresh clock to measure the elapse of time, as in [4].

Fig. 7. The size of the TA vs. the number of processes ($\epsilon$ = 200 ms)


B. Performance Evaluation 

In this section, we conduct simulations of the robot gathering scenario to evaluate the performance of PARO under different settings of key environmental factors. We first describe the experiment setup and then discuss the evaluation results. 

We let the robots collect sensing data every second. 
We generate the sensing data using the Poisson distribution. 
Specifically, the average time of local activities (where the 
local predicate is true) on the robots is 10 s, and the average 
interval between the activities (where the local predicate is 
false) is 5 s. The number of the sensing data items on each 
robot is up to 2,400. The lifetime of the experiments is up 
to 40 mins. The experiments are conducted on a PC running 
Windows 8.1 (x64) and Java version 1.7 with an Intel Core i5- 
2400 Quad-Core Processor (3.10 GHz) and 8 GB of memory. 

In the experiments, we check the formula whose state predicate is $LP_1 \wedge \cdots \wedge LP_n$ (see the footnote on $LP_i$) and tune two key environmental factors, the number of processes (i.e., the mobile robots) $n$ and the clock difference bound $\varepsilon$, to evaluate the five performance metrics $S_M$, $S_U$, $T_M$, $T_U$, and $|Loc|$. $S_M$ denotes the average memory cost of MIPA (mainly for the construction of the active surface of the lattice and the timed automaton), $S_U$ denotes the average memory cost of UPPAAL, $T_M$ denotes the average time cost for the construction of the active surface and the timed automaton by MIPA (lines 4-6 of Algorithm 1), $T_U$ denotes the average time cost for the verification by UPPAAL (lines 7-8 of Algorithm 1), and $|Loc|$ denotes the size of the timed automaton $TA$ when the experiment stops. $S_M + S_U$ indicates the average of the total memory cost, and $T_M + T_U$ indicates the average of the total latency. 

1) Effects of Tuning the Number of Processes: In this experiment, we study how the number of processes $n$ affects the performance of PARO. We fix the clock difference bound $\varepsilon$ to 200 ms, and tune $n$ from 2 to 30. 


Footnote: The local predicate $LP_i = (R_i.front < 600\ \mathrm{mm} \wedge R_i.left < 400\ \mathrm{mm})$, indicating that robot $R_i$ is at the assembly point. 

Fig. 8. Average memory cost vs. the number of processes ($\varepsilon$ = 200 ms) 

Fig. 9. Average time cost vs. the number of processes ($\varepsilon$ = 200 ms) 

Fig. 10. The size of the TA vs. the clock difference bound $\varepsilon$ ($n$ = 10) 

Fig. 11. Average memory cost vs. the clock difference bound $\varepsilon$ ($n$ = 10) 


As shown in Fig. 7, the increase of $n$ leads to a fast increase in the size of the TA (from 484 to 21,354). Compared to the size of $LAT$ under the asynchronous model in our previous work [?], the size of the lattice (i.e., $|Loc|$) in this work is rather smaller. To a certain extent, the lattice structure turns out to be applicable on the partially synchronous model, although it is exponential on the asynchronous model. The reason is that we have made use of the existing synchrony of the system and efficiently restricted the size of the lattice, compared to the previous work under the asynchronous model [?], [?]. 

As shown in Fig. 8, the average memory cost of MIPA $S_M$ increases quickly as $n$ increases, while $S_U$ (the average memory cost of UPPAAL) increases a little faster than $S_M$. As we tune $n$ from 2 to 30, $S_M$ and $S_U$ increase from 1.8 MB to 34 MB and from 5.3 MB to 84 MB, respectively. That is to say, the memory cost of verification is larger than that of the construction of the active surface and the timed automaton. Moreover, the increase of $S_M + S_U$ is roughly in accordance with the increase of the size of the TA in Fig. 7. The reason is that our TCTL formulas have no nested modal operators, and thus can be space-efficiently verified over the TA. 

As for the time cost, the average time cost of MIPA $T_M$ increases slowly from 1.8 ms to 125 ms as $n$ increases from 2 to 30, as shown in Fig. 9. However, the average time cost of UPPAAL $T_U$ increases quickly from 72 ms to 1,450 ms. Most of the time (over 90%) is spent on the verification. The average of the total latency is acceptable. Furthermore, the increase of $T_U$ is roughly in accordance with the increase of the size of the TA in Fig. 7. That is to say, PARO is relatively time-efficient. 

2) Effects of Tuning the Clock Difference Bound: In this experiment, we study how the clock difference bound $\varepsilon$ affects the performance of PARO. We fix the number of processes $n$ to 10, and tune $\varepsilon$ from 10 ms to 1 s. 

As shown in Fig. 10, the increase of $\varepsilon$ leads to a quick increase in the size of the TA (from 2,220 to 11,722). This is because the increase of $\varepsilon$ leads to more possible interleavings of events, and thus to more possible system snapshots. Compared to Fig. 7, the increase of the size of the TA caused by $\varepsilon$ is slower than that caused by $n$, i.e., the number of processes $n$ has a greater impact on the size of the TA than the clock difference bound $\varepsilon$. As the bound of the clock difference is often small in realistic systems, the number of processes $n$ becomes the most important environmental factor. 


As shown in Fig. 11, the average memory cost of MIPA $S_M$ increases slowly as $\varepsilon$ increases, while $S_U$ (the average memory cost of UPPAAL) increases a little faster than $S_M$. As we tune $\varepsilon$ from 10 ms to 1,000 ms, $S_M$ and $S_U$ increase from 2.6 MB to 12 MB and from 8.5 MB to 42 MB, respectively. The memory cost of verification by UPPAAL is larger than that of the construction of the active surface and the timed automaton by MIPA, as in Fig. 8. Moreover, the increase of $S_M + S_U$ is roughly in accordance with the increase of the size of the TA in Fig. 10. The reason is the same as that for the number of processes. Consequently, PARO is relatively space-efficient. 


As for the time cost, the average time cost of MIPA $T_M$ increases slowly from 2.2 ms to 93 ms as $\varepsilon$ increases from 10 ms to 1,000 ms, as shown in Fig. 12. However, the average time cost of UPPAAL $T_U$ increases quickly from 78 ms to 1,222 ms. Most of the time (over 90%) is spent on the verification. The average of the total latency is acceptable. Notice that although $T_U$ increases quickly, it is roughly in accordance with the increase of the size of the TA in Fig. 10. That is to say, PARO is relatively time-efficient. 

Fig. 12. Average time cost vs. the clock difference bound $\varepsilon$ ($n$ = 10) 


VI. Related Work 

Our work can be posed against two areas of related work: 
model checking of real-time systems and detection of global 
predicates over distributed computations. 

In the area of model checking of real-time systems, the existing work is mostly studied and developed in the framework of Alur and Dill’s Timed Automata, and TCTL has gained extensive research since then [4], [?], [?]. Most work focuses on finding efficient algorithms for timed automata verification [4], [23], [24], [25]. These optimization algorithms are generally orthogonal to PARO. Although PARO shares many similarities with model checking over timed automata, there are important differences. First, the complete model (e.g., a series of timed automata) of the system is mandatory in model checking over timed automata [4], [?], [?]. In contrast, as an external observer of an already-running system, our work is applicable to “black box” systems with no system model at hand. Model checking deals with infinite traces of all possible executions, whereas our work deals with the currently-observed finite trace of one concrete execution, by modeling the finite trace as a continuously-growing timed automaton. The temporal logics of model checking, such as TCTL, are interpreted over infinite traces, and the checking cost is often prohibitive [4]. However, to trade expressiveness for checking cost, our specification is a tailored subset of TCTL without nested modal operators, as in [?]. Moreover, unlike the classical semantics of TCTL over infinite traces, we adopt 3-valued semantics for our specification over the currently-observed finite trace to cope with the case of “being inconclusive”. 

In detection of global predicates over distributed computations (aka “runtime verification”), existing work can be categorized by the timing model. Based on the synchronous model, predicates can be detected over a single total order of events [22], [27], [28]. Bauer et al. [22] detect 3-valued semantics of LTL and TLTL over a sequence of timed events. Our 3-valued semantics of TCTL is partially inspired by this work [22]. Kshemkalyani [27] detects predicates concerning the relationships of time intervals over event streams. Xu et al. [28] detect first-order logic based formulas over collected contextual activities. However, the actual system is imperfectly synchronized in our scenario, which makes the work above inapplicable. Based on the asynchronous model, predicates are detected over multiple possible total orders of events consistent with the ‘happen-before’ relation resulting from message passing [12], [?], [?], [?], as in our previous work [?], [?], [?], [?]. We detect conjunctive predicates in [?], [?], regular expression predicates in [?], and 3-valued CTL predicates in [?]. However, the asynchronous model is overly pessimistic in that the existing synchrony of the system is completely abandoned, and the detection over the asynchronous model is usually expensive [?], [?]. Based on the partially synchronous model, predicates can be detected at a relatively lower cost [30], [31], [6], [2]. Marzullo et al. [30], Mayo et al. [31], and Stoller [6] detect global predicates without timing constraints in partially synchronous systems. Duggirala et al. [2] detect whether there exists a real time $t$ at which the bounded executions of the system that correspond to the trace satisfy a given global predicate. In the work [2], the complete system model as a timed input/output automaton is mandatory. In contrast, our PARO works over the trace with no system model at hand. We model the observed trace as a continuously-growing timed automaton, and check a subset of TCTL formulas with 3-valued semantics over the timed automaton. 


VII. Conclusion and Future Work 

In this work, we propose the PARO framework for formal specification and runtime verification of properties with metric-time constraints over the trace of a partially synchronous system of mobile robots. The PARO framework consists of three essential parts: 1) modeling of the trace of system execution; 2) specification of temporal properties; 3) verification of the specified property at runtime. 

In our future work, we need to design an optimized incremental algorithm for the detection of $TA_\top \models_{CTL} \Phi'$ and $TA_\bot \models_{CTL} \Phi'$, since the automaton $TA(LAT)$ is incrementally constructed as the active surface of the lattice evolves. We also need to dig into the specific type of timed automaton corresponding to the timed trace, and study how to detect the full TCTL over the timed automaton while preserving a relatively low checking cost. In this work, we investigate partially synchronous systems with the processes synchronizing their clocks with an external source clock. In our future work, we need to investigate runtime verification of properties in partially synchronous systems with the processes synchronizing their clocks internally. A more comprehensive experimental evaluation is also necessary. 

Acknowledgements 

This work is supported by the National 973 Program of 
China (2015CB352202), the National Science Foundation of 
China (61272047, 91318301, 61321491), and the Program A 
for Outstanding PhD candidate of Nanjing University. We are 
grateful to Lei Bu’s insightful comments and Chao Fang’s 
implementations on the mobile robots. 

References 

[1] G. Zhan and W. Shi, “Lobot: Low-cost, self-contained localization of small-sized ground robotic vehicles,” IEEE Trans. Parallel Distrib. Syst., vol. 24, no. 4, pp. 744-753, 2013. 

[2] P. S. Duggirala, T. T. Johnson, A. Zimmerman, and S. Mitra, “Static and dynamic analysis of timed distributed traces,” in the 33rd IEEE Real-Time Syst. Symp. (RTSS’12), Dec 2012. 

[3] Y. Yang, Y. Huang, X. Ma, and J. Lu, “Enabling context-awareness by predicate detection in asynchronous environments,” IEEE Transactions on Computers, accepted in Apr 2015. 

[4] C. Baier and J.-P. Katoen, Principles of Model Checking. The MIT Press, 2008. 

[5] J. C. Corbett, J. Dean, M. Epstein, A. Fikes, C. Frost, J. J. Furman, S. Ghemawat, et al., “Spanner: Google’s globally-distributed database,” in USENIX Conf. on Operating Systems Design and Implementation (OSDI’12), 2012, pp. 251-264. 

[6] S. D. Stoller, “Detecting global predicates in distributed systems with clocks,” Distrib. Comput., vol. 13, no. 2, pp. 85-98, 2000. 

[7] A. D. Kshemkalyani and J. Cao, “Predicate detection in asynchronous pervasive environments,” IEEE Trans. Computers, vol. 62, no. 9, pp. 1823-1836, 2013. 

[8] F. C. Gärtner, “Fundamentals of fault-tolerant distributed computing in asynchronous environments,” ACM Comput. Surv., vol. 31, no. 1, pp. 1-26, Mar 1999. 

[9] Y. Yang, Y. Huang, J. Cao, X. Ma, and J. Lu, “Formal specification and runtime detection of dynamic properties in asynchronous pervasive computing environments,” IEEE Trans. Parallel Distrib. Syst., vol. 24, no. 8, pp. 1546-1555, Aug 2013. 

[10] H. Wei, Y. Huang, J. Cao, X. Ma, and J. Lu, “Formal specification and runtime detection of temporal properties for asynchronous context,” in IEEE Intl. Conf. on Pervasive Computing and Comm. (PerCom’12), 2012, pp. 30-38. 

[11] MIPA - Middleware Infrastructure for Predicate detection in Asynchronous environments. http://alg-nju.github.io/mipa/. 

[12] R. Cooper and K. Marzullo, “Consistent detection of global predicates,” in ACM/ONR Workshop on Parallel and Distributed Debugging, 1991, pp. 167-174. 

[13] B. Patt-Shamir and S. Rajsbaum, “A theory of clock synchronization,” in the Annual ACM Symp. on Theory of Computing (STOC’94), 1994, pp. 810-819. 

[14] D. L. Mills, “Internet time synchronization: the network time protocol,” IEEE Trans. Comm., vol. 39, no. 10, pp. 1482-1493, 1991. 

[15] O. Babaoglu and K. Marzullo, “Consistent global states of distributed systems: fundamental concepts and mechanisms,” Distrib. Syst., pp. 55-96, 1993. 

[16] R. Schwarz and F. Mattern, “Detecting causal relationships in distributed computations: In search of the holy grail,” Distrib. Comput., vol. 7, no. 3, pp. 149-174, 1994. 

[17] V. K. Garg and B. Waldecker, “Detection of strong unstable predicates in distributed programs,” IEEE Trans. Parallel Distrib. Syst., vol. 7, pp. 1323-1333, Dec 1996. 

[18] Y. Huang, Y. Yang, J. Cao, X. Ma, X. Tao, and J. Lu, “Runtime detection of the concurrency property in asynchronous pervasive computing environments,” IEEE Trans. Parallel Distrib. Syst., vol. 23, no. 4, pp. 744-750, Apr 2012. 

[19] Y. Yang, Y. Huang, J. Cao, X. Ma, and J. Lu, “Design of a sliding window over distributed and asynchronous event streams,” IEEE Trans. Parallel Distrib. Syst., vol. 25, no. 10, pp. 2551-2560, Oct 2014. 

[20] R. Alur and D. L. Dill, “A theory of timed automata,” Theoretical Computer Science, vol. 126, no. 2, pp. 183-235, 1994. 

[21] G. Behrmann, A. David, and K. Larsen, “A tutorial on UPPAAL,” in Formal Methods for the Design of Real-Time Systems, ser. LNCS. Springer Berlin Heidelberg, 2004, vol. 3185, pp. 200-236. 

[22] A. Bauer, M. Leucker, and C. Schallhart, “Runtime verification for LTL and TLTL,” ACM Trans. Softw. Eng. Methodol. (TOSEM), vol. 20, no. 4, pp. 14:1-14:64, 2011. 

[23] D. Dill, “Timing assumptions and verification of finite-state concurrent systems,” in Automatic Verification Methods for Finite State Systems, 1989, pp. 197-212. 

[24] F. Laroussinie, N. Markey, and Ph. Schnoebelen, “Model checking timed automata with one or two clocks,” in Concurrency Theory (CONCUR), 2004, pp. 387-401. 

[25] F. Wang, “Efficient verification of timed automata with BDD-like data structures,” Intl. J. on Software Tools for Technology Transfer, vol. 6, no. 1, pp. 77-97, 2004. 

[26] R. Alur, C. Courcoubetis, and D. Dill, “Model-checking in dense real-time,” Information and Computation, vol. 104, no. 1, pp. 2-34, 1993. 

[27] A. D. Kshemkalyani, “Temporal predicate detection using synchronized clocks,” IEEE Trans. Comput., vol. 56, no. 11, pp. 1578-1584, Nov 2007. 

[28] C. Xu and S. C. Cheung, “Inconsistency detection and resolution for context-aware middleware support,” in ACM SIGSOFT Intl. Symp. on Foundations of Softw. Eng. (FSE’05), Sep 2005, pp. 336-345. 

[29] Y. Huang, X. Ma, J. Cao, X. Tao, and J. Lu, “Concurrent event detection for asynchronous consistency checking of pervasive context,” in IEEE Intl. Conf. on Pervasive Computing and Comm. (PerCom’09), Mar 2009. 

[30] K. Marzullo and G. Neiger, “Detection of global state predicates,” in Intl. Workshop on Distrib. Alg. (WDAG’91), 1991, pp. 254-272. 

[31] J. Mayo and P. Kearns, “Global predicates in rough real time,” in IEEE Symp. on Parallel and Distrib. Processing (SPDP’95), 1995. 


Appendix 


A. Case Study 

The case study of a realistic robot gathering scenario is conducted based on our RobotCar project (see the footnote) to demonstrate the effectiveness of PARO. We first describe the scenario and then discuss the effectiveness. 


1) The Robot Gathering Scenario: In this scenario, two mobile robots are designed to move along the wall and coordinate to meet at the assembly point of a 3 m x 3 m room (for further collaboration), as shown in Fig. 13. Each robot is equipped with four ultrasonic ranging sensors for the front, back, left, and right directions, as well as a wireless module for communication. The robots synchronize their clocks with a timing server in the same room. The actual difference $\varepsilon$ between the clocks of the robots and the timing server is bounded by 10 ms. The robots collect the readings from the four sensors every second and label the readings with local timestamps. The robots start from two corners of the room, move at a speed of about 0.12 m/s, and adjust their routes according to the readings of the four sensors (to keep a constant distance from the wall) and the status (e.g., the location and the speed) of the other robot. 


In the standard way of thinking about the computation, the system execution is regarded as a totally-ordered progression of the system state. From the view of the users of the robots, the two mobile robots are expected to gather at the assembly point within 15 seconds, as specified in property $C_1$ (in Section I). However, this synchronous model of time does not work in a partially synchronous system. Developers of the mobile robot system need to change to the notion of partially synchronous time. Then they can observe and analyze the execution of the mobile robots under the guidance of the PARO framework, as detailed below. 


2) Effectiveness: Based on PARO, temporal properties 
with different real-time constraints can be conveniently spec¬ 
ified and verified over the system execution trace at runtime. 
The property is first specified to MIPA. As the robots move, 
they send the timed trace (i.e., sensing data with local times¬ 
tamps) to MIPA (running on a dedicated server in the room), 
and MIPA verifies the TCTL formulas at runtime. 


We use the conjunction of two local predicates to express that the two robots arrive at the assembly point, i.e., $a = LP_1 \wedge LP_2$. The local predicate $LP_1 = (R_1.front < 600\ \mathrm{mm} \wedge R_1.left < 400\ \mathrm{mm})$ indicates that $R_1$ is at the assembly point. Similarly, the local predicate $LP_2 = (R_2.front < 600\ \mathrm{mm} \wedge R_2.right < 400\ \mathrm{mm})$ indicates that $R_2$ is at the assembly point. 

As for one single timed path of the system execution, we only have to check whether the path satisfies $\Diamond^{[0,15000]} a$ (see the footnote on the unit of time). However, due to the intrinsic asynchrony in our scenario, we can get multiple possible timed paths of the system state. Thus we have to employ the modal operators ($\forall$ and $\exists$) in TCTL to cope with the uncertainty resulting from multiple possible system executions. Specifically, we specify a pair of TCTL formulas to MIPA: the universal formula $\Phi_{C_1} = \forall\Diamond^{[0,15000]} a$ and its existential counterpart $\exists\Diamond^{[0,15000]} a$. 

Fig. 13. The mobile robot and the scenario 

There are three different situations according to the satisfaction of $\Diamond^{[0,15000]} a$ under different modalities: 

1) All possible timed paths of the system state satisfy $\Diamond^{[0,15000]} a$, i.e., $\Phi_{C_1}$ is true. In this case, the real-time constraint is definitely satisfied in all possible executions; 

2) Some (but not all) timed paths of the system state satisfy $\Diamond^{[0,15000]} a$, i.e., $\Phi_{C_1}$ is false and the existential formula is true. This shows that although some paths satisfy the property, the property can possibly be violated. It indicates that the program logic of the robots has potential bugs, since the property cannot be guaranteed in all possible executions. Put another way, even though the property is satisfied in the current execution, it is possible that the property is violated, e.g., in the next execution; 

3) None of the timed paths of the system state satisfies $\Diamond^{[0,15000]} a$, i.e., the existential formula is false. Since the property is violated in all possible executions, we can infer that either the specified property is beyond the capacity of the mobile robots, or there are severe flaws in the system implementation. 

In our case study, we start the robots, check the formulas by MIPA, and find that $\Phi_{C_1}$ is checked false and the existential formula $\exists\Diamond^{[0,15000]} a$ is checked true. It indicates a potential violation of the property. Thus, if the user requires that the robots always gather in time, the developers should revise the program logic of the robots, e.g., by explicitly handling the uncertainty resulting from the asynchrony. 

We further conduct two experiments to verify another two pairs of TCTL formulas. The first pair is dedicated to checking the property $C_2$ = “whether the robots can gather within 14,000 ms”: $\Phi_{C_2} = \forall\Diamond^{[0,14000]} a$ and $\exists\Diamond^{[0,14000]} a$. Both formulas are checked false, which means that the robots cannot gather within 14 s. The other pair is dedicated to checking the property $C_3$ = “whether the robots can gather within 16,000 ms”: $\Phi_{C_3} = \forall\Diamond^{[0,16000]} a$ and $\exists\Diamond^{[0,16000]} a$. Both formulas are checked true, which means that the robots can definitely gather within 16 s. 

In summary, by specifying properties with different real¬ 
time requirements, and verifying the properties under different 
modalities based on PARO, we can gain a deep insight into 
the runtime behavior of the mobile robot system. 


Footnote: The RobotCar project: http://cs.nju.edu.cn/yuhuang/robotcar.htm 
Footnote: In this scenario, we take 1 ms as the unit of time. 


Furthermore, our 3-valued semantics is well motivated in the experiments. During the experiments, when the observed finite execution trace is not sufficient to satisfy or falsify the formulas (e.g., when the time of observation is less than 14 s), we encounter the case of “being inconclusive”, while applying the classical boolean semantics may lead to a false positive or a false negative. 

TABLE I. Experimental results of the case study 

  n   ε (ms)   S_M (MB)   S_U (MB)   T_M (ms)   T_U (ms) 
  2   10       1          2.2        0.5        41.0 

We further describe the actual performance of PARO in this case study. We evaluate the metrics $S_M$, $S_U$, $T_M$, and $T_U$ defined in Section V-B. The performance of the case study is shown in Table I. We can see that the average of the total memory cost $S_M + S_U$ is less than 5 MB, while the average of the total latency $T_M + T_U$ is small (less than 50 ms). This shows that PARO can verify the formulas in time and is feasible in this kind of realistic scenario. 









